Episode 74 of the Public Key podcast is here! The “Cyber Underground” is an organized marketplace for money mule networks, malware exploit development, and ransomware. In this episode, we speak to Michael DeBolt, Chief Intelligence Officer of Intel 471, to tell us everything that is happening in the cyber underground and how to protect ourselves.
You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 74.
Public Key Episode 74: The cyber underground is well organized and driven by supply and demand
The “Cyber Underground” is an organized marketplace for money mule networks, malware exploit development, and ransomware.
In this episode, Ian Andrews speaks to Michael DeBolt, Chief Intelligence Officer of Intel 471, as he updates listeners about the cybercriminal underworld and the role of threat intelligence in combating cyber threats.
Michael explains how with the increased activity of ransomware actors and other cyber attacks, cryptocurrency has become the de facto means of payment.
The discussion emphasizes the importance of collaboration between the public and private sectors in disrupting cybercriminal networks and the emerging risks associated with ransomware and third-party vendors.
Quote of the episode
“I don’t believe that anything is untouchable. I don’t believe that anything is immune to disruption in the cybercrime ecosystem.” – Michael DeBolt (Chief Intelligence Officer, Intel 471)
Minute-by-minute episode breakdown
- (2:03) – Overview of Intel471 and their role in tracking cyber threat actors
- (6:18) – The concept of the dark web and the cyber underground
- (10:20) – Examples of cybercrime activities and their varying levels of sophistication
- (15:06) – Collaboration between public and private sectors is crucial for defense against cyber attacks
- (18:25) – What does a takedown of a darknet marketplace consist of?
- (22:02) – Threat actors using instant messaging platforms for peer-to-peer trades
- (25:43) – Diverse team with technical and linguistic expertise tracks cybercrime
- (29:37) – No major decline in cybercriminal activity due to global events
- (31:22) – Emerging cyber attack and third-party vendor risks
Related resources
Check out more resources provided by Chainalysis that perfectly complement this episode of the Public Key.
- Website: Intel471: Fight Cyber Threats. And win.
- Research: Cyber Underground Handbook: Intel 471 General Intelligence Requirements (GIR) Framework (Download Now)
- Report: The 471 Cyber Threat Report 2023-24
- Workshop: A Free Hands-On Workshop with Intel 471: Building an Intelligence Plan
- Blog: Insights from CLOP’s MOVEit Extortion Attack
- Blog: How Gray Market Cryptocurrency Exchanges Fuel Cybercrime
- Blog: The U.S. and U.K. Sanction 11 Members of Russia-based Ransomware Group Trickbot
- Blog: The 2023 Global Crypto Adoption Index: Central & Southern Asia Are Leading the Way in Grassroots Crypto Adoption (Reserve Your Copy Now)
- YouTube: Chainalysis YouTube page
- Twitter: Chainalysis Twitter: Building trust in blockchain
- Tik Tok: Building trust in #blockchains among people, businesses, and governments.
- Telegram: Chainalysis on Telegram
Speakers on today’s episode
- Ian Andrews, Host (Chief Marketing Officer, Chainalysis)
- Michael DeBolt (Chief Intelligence Officer, Intel 471)
This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company.
Transcript
Ian:
Hey everyone, back with another episode of Public Key. On this podcast, we talk a lot about the underworld, cyber criminals, the dark web, and I always feel like I don’t know enough on this subject. So for today’s episode, I’m joined by Mike DeBolt, who’s got maybe the best title that we’ve ever had on the show, Chief Intelligence Officer at Intel471. Mike, welcome to the podcast.
Michael:
Hey, thanks for having me.
Ian:
I have to ask Chief Intelligence Officer, what do you actually do?
Michael:
Well, I was trying to go for intelligence czar but that didn’t fly, so we stuck with Chief Intelligence Officer. So I’m on the exec team here at Intel471. I have the privilege and the honor to lead our over-80-person intelligence function. So I have researchers, technical specialists, collection managers who engage directly with our clients, and we have an analyst team as well. So they all combine into this one awesome team that I get to lead every day.
Ian:
Talk a little bit about for people that haven’t encountered Intel471 before, what the actual business is, and then we’re going to go, I think much deeper into the technical side, but what do customers look to you to provide them?
Michael:
So we make it our business to track cyber threat actors on the ground. And so by that I mean we are intimately familiar with who the main players are operating in the underground, what services they offer, the infrastructure they use, the malware they use, the attack vectors they employ. And because we painstakingly map this space out, we are able to provide all these really timely and relevant insights, intelligence to our customers. And I like to say that we’re essentially our customers’ eyes and ears into a very vibrant and active and kind of hard to reach space. It’s hard to wrap your head around.
And so one of the ongoing challenges that most organizations have when they start to think about the underground is where to start. How do I know if something is important to me? There’s all of these different actor handles, all these different forums and instant messaging platforms. There’s a lot going on and there’s a lot to sift through. So we make it our business not to just become intimately familiar with who the bad guys are, but then we also take that next step to reduce the noise by stacking and ranking and categorizing what’s the most important. And we distill those insights into something that our customers can action or operationalize to protect themselves.
So this could be, just to give you an example, it could be anything from our assessment of the most common MITRE ATT&CK techniques that are being used out there by initial access brokers, because that’s a big thing right now, or it could be one of our sensitive sources that we have that have gained initial access into or gained access into a closed chat group. And we’re observing in real time credible threat actors who are talking about their next attacks against an organization who happens to be one of our clients or one of their third parties. So then we have a platform that our customers log into and they access these insights and my team is always working behind the scenes to infiltrate hard to reach places, identify trends, and ultimately pass that information along to our clients who represent multiple industries and geographies, both in the private and the public sector.
Ian:
I was going to ask, most of your customers I would assume are chief information security officers, the people protecting their organization from these cyber threat actors, or is it other people too?
Michael:
Yeah, no, most of our clientele is going to be cyber threat intelligence teams. Obviously the cyber threat intelligence team, if it’s doing their job, they’re reporting to the CISO either directly or through their chain of management. So yeah, that’s primarily our client base, our bread and butter as a cyber threat intelligence team.
Ian:
I mentioned at the outset that this has become an interesting area for me because as I’ve gotten further into the world of cryptocurrency, it seems like cyber crime and crypto have become increasingly intertwined over time. The payment for information and access is now done in crypto. Ransomware, obviously, which is a hot topic seemingly nonstop for the last few years, ransom payments being made in crypto. Is that consistent with your observation as well? Is crypto now the de facto means of payment for services in the cyber threat actor world?
Michael:
Oh yeah. Hands down, and we’ve seen some interesting trends on the heels of these centralized exchanges that have been taken down or sanctioned, but by far threat actors are using cryptocurrency to facilitate their ill-gotten gains and to profit. A couple of interesting things. We’ve seen some of these centralized gray market exchanges, as kind of a knee-jerk reaction to these sanctions and these take-downs, attempt to seem legitimate and avoid scrutiny by having a website that states that their services are not being used for illicit purposes, and they’re actually creating a social media presence and a clear web presence making it look like everything is fine and there’s nothing going on here. But at the same time, with our access and our visibility, we’re seeing that these same services, these exchanges are being advertised a lot in the cyber crime forums. So I think they’re going to get discovered pretty quickly. This is just a veiled attempt at them trying to make themselves look legitimate in the face of some of these sanctions that are coming down.
Ian:
Realizing that we have a wide range of technical expertise and experience in our listeners. Maybe we could take just a step back and when we talk about the dark web, what actually is that? I actually had somebody ask me the other day, they’re like, “Hey, is the dark web still a thing? Are there still people out there operating on the dark web?” And I was like, “Yeah, absolutely.” But you’ve mentioned forums and initial access brokers and contextualize this a little bit for somebody that’s maybe never used Tor or an onion browser or something like that. What are we really talking about here?
Michael:
Yeah, so I have to be careful here. Anytime somebody says dark web or deep web to me, I cringe a little bit.
Ian:
Oh, good. I didn’t even know. So I’m not up with the lingo.
Michael:
Maybe I should have warned you. Well, so here’s the deal, it’s not dark, it’s not deep. It’s actually really well organized, this cyber crime underground. And so here’s what I would say. I would say the best way to conceptualize the cyber underground is by looking at it through a business lens. So just like any legitimate market, the cyber underground economy exists because of supply and demand. That’s pretty obvious. There’s a readily available supply of illicit products, services, goods that enable and they prop up this ecosystem. And that’s because there’s a steady demand from buyers all around the world across all maturity spectrums that are seeking these things to further their profitability and their moneymaking schemes. And this runs for us in what we’re focused on. It runs the gamut of cyber crime. So think about things like phishing, money mule networks, malware, exploit development, and of course ransomware as you already mentioned.
So if you think about it from a business lens and this whole supply and demand reality that we live in, this comes with go-to-market competition, it comes with the need for brand recognition and innovation and partnerships and quality assurance, customer service. We even saw with some of the Conti ransomware leaks that happened a while ago, threat actors standing up human resources to help manage payroll for their threat actors. So that’s on the supplier side, but then you have on the consumer or the buyer side who are coming into this ecosystem. If I’m a buyer or a consumer, I really have access to whatever I need, whether I’m, like I said, a newcomer actor who’s trying to learn the ropes and maybe upskill myself or I’m a mature actor who is coming into the space looking to form partnerships to expand my portfolio or increase my bona fides.
It really has everything for anyone regardless of maturity, looking to conduct all different types of cyber criminal activities. And so all of this really creates what I would consider a gold mine for intelligence collection where we can establish coverage over this space. We can really become intimately familiar, acutely familiar with who the big players are right now, and then we can sort of monitor this as we go and identify where the state changes are and be alert to what’s coming next. Who are the next guys who are coming in and being the big dogs on the block, right?
Ian:
Yeah. I think to contextualize it even a little further, there was a trending article that I caught in one of the newsletters I read every day that said right now there is an increasing trend on phishing attacks using kind of wallet theft software. So you connect your crypto wallet to a website and it will basically sweep the contents out of the site. So a semi-sophisticated attack, but all the tools necessary to do that are available for hire. You basically buy a kit and anybody with basic technical knowledge could stand this up. And what the article was suggesting was that most of the people who are running these scams right now are actually teenage kids who are then using the proceeds of the stolen NFTs and crypto to buy skins in Roblox.
Michael:
Yup.
Ian:
And so you’ve got that as one end of the spectrum. And then on the other end of the spectrum, we saw the Hydra Darknet Marketplace that got taken down last year. I mean billions of dollars in annual revenue doing everything from money laundering to selling guns and drugs and stolen documents and everything else. You could imagine really a full service marketplace like you would think of as any other large scale eCommerce platform on the internet. That’s the range of user and activity sophistication you’ve got happening here, right?
Michael:
Yeah, absolutely. And you can’t focus on everything, right? It’s impossible. What is the term? You can’t boil the ocean, right? So we spend a lot of time just really trying to identify, well, first of all, categorize the threat. Are we talking about an infrastructure provider? Are we talking about a service provider? Is this a phishing as a service? And we sort of use that to help steer our efforts. What is the impact that these services are having? How are they enabling the vast majority of cyber crime to occur? And then so once you have your stack-ranked list of things that are ultimately, there’s a lot of stuff going on, but ultimately there are only maybe a handful if you just separate each one of these threats into their categories, a handful of really prominent services across this space that are really enabling the vast majority of cyber crime to happen. So once you kind of understand that space and understand who the actors are behind it, what their motivations are, what their intent is, what their capabilities are, then you can start to get at least a starting point into protecting yourself against them so you’re not having to feel the overwhelming weight of having to protect yourself against everything.
Ian:
I often think about this challenge in the context of what’s my threat profile, either as an individual or as the company Chainalysis. How much appetite and interest would somebody have in attacking us? And for some reason I categorize maybe nation state actors as slightly different than the profit seeking run-of-the-mill cyber criminals. Is that a reasonable way to segment behavior and motivation there, or is it really a blurry line between somebody that’s employed by a government and those that are maybe more profit motivated?
Michael:
Over the years, over probably the last 10 years or so, we’ve seen that line blurred quite a bit, and it makes sense, right? If you’re a nation state threat actor who’s working at the behest of your government, certainly there’s going to be some unique tooling and unique infrastructure that you’re going to use that’s much more sophisticated. But then there’s also, as you said, there’s a plethora of off the shelf tools, commodity stuff that you can use in this underground that can help you hide in the noise, if you will, so that you can look as though you’re just another financially motivated threat actor. And so sometimes we see them peek their head above the ground and we are able to sort of say, okay, well that’s probably an actor who is maybe not working at the direct tasking of a government, but is certainly motivated or aligned with a government’s intentions. And so those are interesting. But I would say you mentioned your sort of threat profile. What do you focus on as an organization?
I think one of the things that we don’t do ourselves a good service on, on the threat intel side, is that we often conflate risk with threat. So you could have the most sophisticated threat out there, the most sophisticated APT actors who are very, very active and persistent, but that might not actually be a risk to your organization at that given time. Maybe it’s because they’re targeting a certain vertical or a certain geography that your organization isn’t in. And so you can kind of see where you have a sophisticated and persistent threat, but that is not going to immediately equate to a risk that you have to action in your organization. So just being conscious of your risk profile within your organization, being conscious of what are your crown jewels and what are you actually trying to protect? And then looking at the threat side, being aware of what the threats are out there obviously, but also what they’re targeting right now and in the future is really going to help organizations assess their actual true risk.
Ian:
This is a great point, but it seems really difficult in the current moment where we have this rash of ransomware, the MOVEit vulnerability, and it looks like people who were school districts, county government offices, like state and local municipal functions, not organizations that I would think of as having deep pockets and therefore able to pay their ransomware fee or necessarily having a cyber insurance policy that’s going to pay out. Now, maybe there’s soft targets in that, hey, they just aren’t that sophisticated on the defensive side, but it does seem a little bit like the target selection is almost a little bit random. Maybe you have more insight in either this specific case or the general one about how does someone end up in that situation?
Michael:
Yeah. Well, I think we’ve got to be careful here. This particular MOVEit vulnerability exploitation was a mass exploitation exercise on behalf of CLOP. And so it was, as you said, it was very opportunistic. They’re looking across the internet for MOVEit vulnerabilities and then really taking advantage of that. And then it has been an interesting change of technique for them to use emails to basically say, if you’re one of the victims, email us and then we’ll start the negotiation. That’s different from them actually deploying ransomware on the victim machine and then a ransom note popping up and them directing a negotiation through a Tor channel, which is a different technique. And I think it’s just because of the nature of the vulnerability that was exploited. But I mean outside of that kind of corner case, the essence of what you’re talking about is true. I mean, financially motivated actors just in general are opportunistic.
You certainly have the more sophisticated actors in the groups out there that are targeted in the sense that they know what they’re after, whether it’s an industry or maybe it’s a victim demographic, that they’re only going to go after victims that have annual revenue of 500 million or more. I’m just making that up. But they have certain parameters that they’re going to use to help prioritize what they’re going to be dropping ransomware on or ultimately attacking. But the vast majority of cybercrime actors out there are opportunistic. They’re going to take whatever they can whenever they can.
Ian:
And so then for people who are trying to protect their organization, whether it’s running a cryptocurrency exchange or a Fortune 500 enterprise, what are the tactics that you would suggest they focus on? What’s the important stuff versus the noise that they can kind of safely skip past when it comes to not ending up on the cover of the newspaper as a victim of one of these big ransom-
Michael:
I suppose you’re not going to let me off the hook by me saying, allowing me to say it depends, right?
Ian:
I’m not going to give you that much rope.
Michael:
That much rope? Okay.
Ian:
But obviously it’s a broad and open-ended question, so I’m curious if you’ve got some particular insight just given how close you and your team are to some of the operators, if there’s any tactics you can recommend.
Michael:
So I mean, let’s talk about the good news a little bit, and I’ll take a step back here. Information sharing between like-minded governments is at an all time high, and I think we need to celebrate that. And also between the private and public sectors as well. I mean, for the longest time, the public sector, and I can say this because I originally came from this space, the public sector was disillusioned to think that we can basically solve everything on our own and impose costs on the bad guy single-handedly without the help of private sector. And so while yes, the government has access to information that the private sector doesn’t, the inverse is also true, the private sector specialized vendors like us and Chainalysis and others, we have subject matter experts and we have visibility into hard to reach places. So this creates a really excellent opportunity for both sides to share intel, work together, and we’re seeing more and more tangible benefit and outcomes from these take-downs and these arrests.
And I think this is going to continue and become even more frequent. But the other side to this is yes, the cyber underground is resilient. It has many overlapping interdependent services. It has multiple forums, chats that actors can move in and through with relative ease. And really if any of these go down, it’s only a matter of time before its replacement comes online to fill the void. So I think what this means for us is that we have to sort of shift our success criteria for what it means to disrupt an actor. The ultimate disruption is going to be taking something down for good. I think no one’s going to argue about that, whether that’s an actor themselves being arrested or their infrastructure being dismantled. But this happens few and far between. So what I would say is let our disruption goal, if you will, be anything that makes the actor divert from their original plan, anything that imposes cost.
So we really want to keep the actor on the run. We want to keep them uncomfortable. Second guessing, we want to keep them off target, not on target. So this could be going back to your original question. This could be a set of small incremental controls in your environment, something like MFA, multifactor authentication, I know that’s simple, but that’s effective. It could be blocking a network range being used by the actor. Or for us at Intel471, it can be something simple but effective, like using one of our sources to engage the actor, cast maybe a little bit of subtle doubt in their operations. So these are very small, these are very tactical things. Maybe they’re not going to reach the headlines, they’re not going to be on CNN or anything like that, and they’re not going to maybe have a huge amount of individual impact, but in aggregate, they amount to enough impact that the actor’s going to look for something a little bit more lower hanging, a little bit more opportunistic. So I think let’s continue to focus on the big ones, don’t get me wrong. We definitely need to do that, but also stay diligent, stay in the weeds on the small things and make things harder for those actors to achieve their goals.
Ian:
It sounds like you’re saying, “Hey, defense alone is not enough. We’ve got to take the opportunity to play offense.”
Michael:
That’s right.
Ian:
And that’s not purely the role of government. It actually requires collaboration between public and private sector, between industry, between the companies who are the ultimate victims. In many of these cases, if that collaboration’s not happening, we’re just making it too easy for the bad guys to be successful.
Michael:
That’s right. That’s right. And being really good at prioritizing what’s going to actually move the needle to help defend ourselves. Because we can’t, it’s just not possible to protect against everything. So knowing what’s most important at any given time, what’s most impactful, and then designing your controls and your detections off of that is going to move the needle for us.
Ian:
So let’s talk about some of these. There’s been some notorious dark net markets that I think most people have probably heard of, going back to Silk Road, probably the first one that really got on the radar of people outside of the experts in cybersecurity. Last year, we saw the take-down of the Hydra Marketplace. AlphaBay is another one that probably some people have heard of. When one of these takedowns happens, what is actually being done? Because often it doesn’t seem like individuals are necessarily arrested. Sometimes it’s just infrastructure seizure. Can you maybe walk us through one of those specifically or in a more general context, what does a takedown of a marketplace entail?
Michael:
Yeah, well, some are cleaner than others in the sense that everything is taken down, the actor is arrested, the infrastructure is taken down. Obviously we had that happen with Silk Road and other times, especially for the perpetrators being in hard to reach places who don’t cooperate with US or [inaudible 00:25:10] law enforcement, it’s a matter of taking down the infrastructure momentarily while also, like I said, imposing costs on the bad guy who happens to be sitting in a place where we can’t put cuffs on. And then really everything in between. So I think the way I would answer that is that those are all success stories, and a lot of this is actually happening behind the scenes. I’m in a lot of trust groups. I hear a lot of onesie, twosie type disruption activities that the cybersecurity industry is imposing on the bad guy, and it might take down a domain or it might take down a piece of infrastructure momentarily.
Of course, that’s not going to go into the news, and it might not even be actioned by law enforcement, it might be somebody in the private sector doing that. But to me, that’s a success. And over time, if you continue to do that, you continue to cast doubt in the actor’s operations. Maybe they move to a new technique that is a little bit more risky for their operations because you’ve sort of caused them to make that move and caused them to be uncomfortable. So I would say let’s continue to look at every single opportunity we can to make things harder for the bad actors.
Ian:
Well, and I think this is where the partnership between our two companies starts to get interesting, because if I’m thinking about offensive activities to disrupt criminal networks, not just in the cyber domain, there’s almost always an element of follow the money. If you can either take the criminal’s money or disrupt the flow of funds going to them, you can make a big dent in their operation. You can either make it unappealing for them to continue in the venture or more than that. And so knowing that everybody is using crypto, it’s the de facto way to exchange funds between these organizations. That is such an interesting vector for exploiting weaknesses in their networks. I mean, we’ve seen with a number of the Russian ransomware gangs, they were using a common money laundering operation that the Treasury Department ended up sanctioning. But I mean these folks had cleaned a few hundred million dollars worth of ransom crypto. And so I think this is where the intelligence gathering work you’re doing combined with the on-chain intelligence that we’re able to produce is such a powerful set of capabilities for organizations that are trying to go on offense here.
Michael:
Yeah, I mean, you said it. It’s all about the money. What does Tom Cruise say? “Show me the money.” I dated myself a little bit there, but it is, it’s all about the money. And I might be a little optimistic here or maybe a little naive, but I don’t believe that anything is untouchable. I don’t believe that anything is immune to disruption in the cyber crime ecosystem. I think it’s just a matter of us, the good guys, positioning ourselves in a way where we can see those wallet addresses, where we can see those IDs. And then like you already said, Intel471 and Chainalysis, like we’re already doing, working very closely together to action those when we do see them and then pull on that thread and follow what they’re doing and pivoting from there and painting a really clear comprehensive picture about who these actors are and what we can do to really put their funds at risk. Once their funds are at risk, it changes the game for them. So if we can create that chaos for them, all the better.
Ian:
Well, and I think for people that are in either the investigative or the compliance space, this is why you’re so important to this equation. You may not think of yourself as a cyber investigator or a cyber defender, but the reality is all that money flowing through this threat actor ecosystem, ultimately they want to cash it back out to some hard currency. And these days it’s increasingly few and far between exchanges that will allow anonymous accounts, particularly those that can cash out back to a fiat source. That’s where compliance teams understanding where these funds are coming from, being able to understand, oh, this looks linked to ransom payments or it looks linked to dark net market activity, shutting that off and not allowing it to transit through a platform. It has a direct upstream impact on this ecosystem.
Michael:
Absolutely. And the actors are going to, I’ll give them this, they can be innovative, they can be creative. I already mentioned, and that’s not me giving credit to the bad guy, by the way. So don’t edit this. And …
Ian:
That’s our pull quote right there. We use that.
Michael:
Yeah, I can just see the headlines, but like I said earlier, one of the interesting trends that we’re seeing is this movement to instant messaging chat platforms to do peer-to-peer trades, Telegram, but to a lesser extent, Discord. And so this was something that we saw before all of the sanction activity and the actions against these centralized exchanges. But we definitely saw an uptick in actors once these sanctions hit and their funds were at risk really recognizing, hey, maybe I need to be doing something different so that I can protect my money laundering operations and be able to cash out ultimately. So now they’re using these chat platforms to trade crypto assets directly with another threat actor, and there’s a whole vetting program, you can pay to be a VIP. So there’s a little bit of a, I’m using trust in the bunny quotes here, there’s a little bit of a trust there, but it’s also done with some sense of relative anonymity and threat actors like that.
And we’ve also seen a handful of these services support transfers from crypto into local currency like Russian rubles that can be deposited and then cashed out via bank transfers and ATM withdrawal. So they’re always going to find a way, and our job is really to kind of, if we can get there before them, that’s great. It’s not always going to be that case, but at least we’re tracking them moment by moment, real time so that we can set up coverage. Automated coverage is what we do. We set up automated coverage of these chat platforms, but we also have human sources as well that go in and they engage with these threat actors so that we can watch their activity, we understand what they’re doing so that they don’t go completely unnoticed.
Ian:
I have to ask those human operators that you have doing intelligence collection and undercover, what is the profile of one of those people? Where do you recruit your team from? If I wanted to become one of these people because the job sounds kind of interesting, what sort of skills do I need to have?
Michael:
Well, you can check our career page if you’re interested.
Ian:
We’ll link to it in the show notes. I might be in the market here. We don’t know.
Michael:
Remember I said earlier, our bread and butter is really our on-the-ground research that we do, our on-the-ground coverage of threat actors. We have a platform and we do automated coverage across the space too, so our clients can see alerting. And that’s really important. We can’t capture everything, but really the in-depth detailed research and insights come from these researchers. And so the DNA of these researchers is really across the board. A lot of them come from former law enforcement, former security services, some academia industry, cybersecurity industry. And what they all have in common is they each have native language proficiency in the places that we have them that are a very close proximity to the threat actors that we are tracking. So we have Eastern European teams, we have South America teams, we have a team in the Far East, so they have native language proficiency, and they also understand the cultural aspect of their intelligence collection.
So that I always say when I’m talking to people who maybe are getting introduced to this at first is that you and I cannot walk. Well, maybe you can, but I certainly can’t walk into a Hell’s Angels bar in California looking like this. I’m going to get spotted pretty quickly and probably kicked out. So you have to, it’s the same is somewhat true in the cyber underground. In order to get into these closed vetted places, in a lot of cases, you have to know somebody. You certainly have to be able to speak the language and also know the nomenclature and the slang. So I’m thankful for people in the US who are native English speakers who go and go to school and become Russian linguists, right? And that’s very helpful. But that only gets you so far in this space. You have to know the slang, you have to know the nomenclature, you have to know the culture. And so that’s the type of people that we have really in the weeds and on the ground tracking these threat actors.
Ian:
That’s amazing. And so do you get some of those people who come in without technical knowledge or do you also have to find people that have everything you just said as well as being some level of depth into cybersecurity?
Michael:
Yeah, I would say that the team is quite diverse. We have people who have both certainly native language proficiency, and they’ve been doing this for a long time and they just understand more of the technical aspects of how malware works and infrastructure and all of those things. But then we have people who come from academia who have that are really, really sharp, but they have the native language proficiency. We also have a dedicated linguist team, a linguist analysis team that’s built a dictionary over the past eight years of it’s, we can kind of touch into that and reference that every once in a while, English speakers who need a translation assist every once in a while can go back and say, “Okay, well that’s what that means. And that’s what that means.” So those are people who come very, very smart, who speak multiple languages, but they don’t have necessarily the subject matter expertise in the cyber crime world when we first bring them on board and they just learn that and we teach them that.
Ian:
Such a fascinating job. Very different than my day job and one that seems pretty exciting. I’m curious, we’ve had obviously a ton of global disruption over the last few years from the pandemic to now Russia’s invasion of Ukraine. When these major global events happen, what do you see changing, if anything, in the behavior of some of the threat actors that you’re following?
Michael:
So ultimately, we haven’t seen a major lasting decline in cyber criminal activity since the invasion started. I mean, most of the impact has been seen as a result of the things that we’ve been talking about. Really the sanctions work being done, going after those illegitimate exchanges, and then actors trying to figure out what they’re going to do next. We have seen a few interesting corner cases where certain Russian language threat actors have been called up to fight on the front lines, and then we’ve never seen or heard from them again. So I guess case solved there. Back during COVID, we saw a handful of actors we were tracking that claimed that they had fallen ill and had taken a short break. There was one time where we had an actor reference another actor that they had been doing business with that he died, he or she died from COVID. So on the one hand, we’re not seeing any major trending impact, good or bad on the cyber crime ecosystem as a result of some of these major events. But it’s a reminder that we’re dealing with actual human beings here who are affected by real life environmental factors. And this is something that we at Intel471 are always tuned into here, and we try to use that to our advantage when it comes to rapport building, intelligence collection opportunities and everything in between.
Ian:
Yeah, I have to imagine that you all are also a target yourselves. You have a brand, you’re not a secretive company. You’re on the podcast here, so you’re out there. Has there ever been any retaliation or folks trying to target you directly? The company I mean, not you specifically.
Michael:
Yeah, I mean, we get the average, the normal stuff. We get the phishing campaigns. There hasn’t been anything that’s been super targeted against us, and I don’t know if that’s because maybe we’re not doing a great job of marketing ourselves in those particular areas. But no, and it’s actually kind of surprising. So we do take a great deal of care into what we do communicate in all seriousness, what we do communicate in our blogs and in things like engagements like this, because we do operate in kind of an interesting gray area, and we want to make sure that we are protecting ourselves as well, and our clients for that matter. We take a great deal of care in making sure that we don’t skyline our customers or anybody, any partners or anything that we’re working with.
Ian:
Yeah, I would imagine that your trusted relationships with all your customers would be kind of the valuable asset that if a threat actor might get interested in.
Michael:
Absolutely. Yeah.
Ian:
You all recently published something called the Cyber Underground Handbook. Talk to us about that. What’s that asset? Who should go read it?
Michael:
So the Cyber Underground Handbook is something, it’s actually been around for a little while. What it is, it’s a handy reference tool for really CTI professionals who are looking to either refine their cyber threat intelligence program or build one from the ground up. So I would encourage anybody who is really looking to advance their program using a requirements driven approach. So maybe you have more than three stakeholders within your organization that you as the Intel team need to service or provide intel for, and you’re having a hard time kind of prioritizing. This is a very, very common thing. And even something that we dealt with at Intel471 when I first came on board is how do we prioritize all of our customers’ needs and our stakeholders’ needs? And so this is one way, this handbook using general Intel requirements to help you sort of get started with that aspect of it. So I’d encourage you to take a look at that. It’s free. We also do a workshop every quarter. I actually do it with one of our awesome folks here on my team, and we run through how to operationalize that handbook. So I’d encourage you to take a look.
Ian:
Yeah, we’ll link to both in the show notes so that folks can find that and have a way to maybe progress out of this conversation if they’re in the early stages of developing their own program. Last question as we wrap the discussion. It feels like it’s been a busy year, and we’re not quite halfway through the year, Genesis Marketplace got taken down and then came back to life. MOVEit that we talked about earlier, the big ransomware attack that’s ongoing right now. I would have to imagine you’re actually probably seeing a little bit ahead of what everyone’s experiencing in the market where you’re maybe thinking about things that are really only going to become apparent a few months down the line. What’s keeping your attention right now as much as you can share, and perhaps what would you encourage people to direct some of their attention to as they look out on the horizon?
Michael:
Right. So I’ll say that predictive analysis, assessing what’s coming next and making a high confidence sort of forecast is always the Holy Grail of threat intel. And it’s not always possible. It’s like the hardest thing to do.
So here’s how I would answer that is we’re always staying really close to the ground floor when it comes to what our customers are saying is important. And then we also cross-reference that against what we are seeing from our vantage point. Ransomware, it’s not going away anytime soon, unfortunately. So that of course continues to be an important topic to cover down on. But one thing I think that really seems to be on everyone’s mind and for good reason is the third party vendor supplier risk challenge. This is something that we talk about really every day at Intel471, and we talk about it internally. We talk about it with our clients, and we have a couple of intel streams that help our clients get a handle on this. But this remains a challenge in our very interconnected world of supply chains and vast amounts of data circulating everywhere without really any control. So this is something that we’re going to focus on continually in the coming weeks and months ahead. Tactically, strategically, how can we get relevant third party insights like breaches and alerts into the hands of customers in a matter, in a manner that enables quick action and helps them reduce their attack surface?
Ian:
Yeah, I mean, securing the software supply chain seems like the problem of our age right now. It’s just there’s so much software deployed. The complexity of that software is greater than it’s ever been. There’s so much open source software. So you have teams building software that you buy maybe or run as a service, and they’ve pulled in upstream dependencies from open source packages, which in some cases they may not understand or may not be maintaining effectively. And so you have these third and fourth layer hidden dependencies that may be not at all visible or even testable from the consumer point of view, the end user standpoint. And it doesn’t seem like there’s an easy answer here other than Yeah, that’s a big challenge. Yeah, I mean, it almost requires everyone to up their game across the board, any weak point in the entire food chain becomes an exploitable vulnerability.
Michael:
And not to pile on to the issue, but we’re tracking hundreds and hundreds of breaches from the cyber crime underground. And that could be anything from a ransomware leak blog mentioning a victim to initial access brokers whose sole job, we had this whole sub economy of actors who their only job is to go find network accesses to remote access points like VPNs and RDP, and they go and they turn around and they sell that, or they’ll work directly with a ransomware group that they’ve made a relationship with. And so the exhaust of that is that we have hundreds of these breaches impacting hundreds of unique victims. How do you wrap your mind around whether one or one of those victims is a third party vendor or supplier of yours, and how do you do it in a manner that’s streamlined and you’re not having to sift through everything? So those are the challenges that we’re facing right now, and we have a really good handle on it, and we’re enabling that kind of support for our customers. But like I said earlier, the bad guys are always innovating, and I think we need to be always doing the same thing and staying one step ahead.
Ian:
Well, Michael, keep up the good work. We all need you out there on the front lines of this, you and your team. This has been a fascinating conversation. I really appreciate the time today.
Michael:
Likewise. Thanks for having me. I appreciate it.
Ian:
Yeah, you bet.